Data protection policy




Approved by IGSB December 2015

Introduction

1 This document is the data protection policy for the Nursing and Midwifery Council (NMC).

2 The Data Protection Act 1998 (DPA) governs the processing of personal data. It requires that personal data and sensitive personal data must be processed by data controllers in accordance with the eight data protection principles. The NMC is a data controller under the DPA.

3 All processing of personal data by or on behalf of the NMC must comply with the DPA.

Aims of the policy

4 The aims of the data protection policy are:
  4.1 to state the NMC's commitment to compliance with the DPA and the eight data protection principles
  4.2 to outline how the NMC will achieve compliance with the DPA
  4.3 to state the responsibility of all those working for or on behalf of the NMC to comply with the DPA.

Scope

5 This policy applies to all personal data as defined by the DPA, in both electronic and paper form, held by the NMC, transferred to or exchanged with third parties, or held by third parties on behalf of the NMC.

Roles and responsibilities

6 The ultimate responsibility for the NMC's compliance with the DPA lies with the Chief Executive and Registrar.

7 The Performance and Resources Board is responsible for maintaining this policy and may delegate responsibility for approving changes to the policy to the Information Governance and Security Board (IGSB).

8 Specific roles and responsibilities in relation to compliance with the DPA are set out in the Information Security Roles and Responsibilities RACI chart.

9 Managers within every business area are responsible for implementing and ensuring compliance with data protection procedures in their areas. This includes the requirement to take all reasonable steps to ensure compliance by third parties which process personal data for which NMC is the data controller.

Compliance

10 All those working for or on behalf of the NMC are required to comply with this policy.

11 Any alleged breach of this policy may result in an investigation which may result in action being taken by the NMC up to and including dismissal; removal from office; or, termination of a contract for services. The NMC will cooperate with law enforcement authorities if a criminal violation is suspected, and it reserves the right to claim compensation from the individual(s) through normal lawful processes in the event that the NMC suffers damage.

Policy review

12 This policy will be reviewed annually, or more frequently in the event of any legislative or regulatory changes.

Communication

13 Full copies of this and other policies and guidelines are available in the NMC's Trim document management system and on the inet.

14 A copy of this policy in Welsh can be supplied on request.

Definitions of personal data and sensitive personal data used within the Data Protection Act 1998

Personal data

15 Personal data is information which relates to a living individual who can be identified:
  15.1 from that data
  15.2 from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
  15.3 and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data

16 Sensitive personal data is personal data which consists of data related to the data subject's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, the commission of offences or criminal proceedings.

Policy statements

The data protection principles

17 All those working for and on behalf of the NMC must comply with the data protection principles enshrined in the act which state that personal data must be:
  17.1 processed fairly and lawfully
  17.2 only obtained for specified and lawful purposes and not processed in a manner incompatible with those purposes
  17.3 adequate, relevant and not excessive in relation to the purposes for which it is held
  17.4 accurate and, where necessary, kept up to date
  17.5 kept for only as long as is necessary
  17.6 processed in accordance with the rights of data subjects under the act, including the data subjects' right of access and right to object to the processing of their data in certain circumstances
  17.7 protected from unauthorised and unlawful processing; accidental loss, destruction or damage by having appropriate technical and organisational measures in place
  17.8 only transferred outside the European Economic Area (EEA) where an adequate level of protection for the data can be ensured.

Processing and use of personal data

18 The NMC processes personal data about registrants, those working for and on behalf of the NMC, stakeholders, and other individuals, in order to fulfil its purpose and meet its legal obligations. Personal data will only be processed lawfully and fairly in order to fulfil NMC's purpose and meet its legal obligations.

19 All those working for and on behalf of the NMC must follow NMC procedures relating to the processing and use of personal information.

20 The NMC will inform data subjects of the uses of their data in accordance with the requirements of the DPA.

Use of monitoring and surveillance technology

21 Any deployment of audio recording, video recording, CCTV or other monitoring and surveillance technologies will be in compliance with the DPA.

Right to access information and subject access requests

22 Anyone has the right to request access to personal data that is being held about them by the NMC.

23 Anyone wishing to exercise this right should make the request in writing to the Records Manager, Records and Archives department or complete and submit the online form on the NMC website.

24 Requests for personal information will be handled in accordance with the Data Protection Act 1998.

Complaints procedure

25 Anyone who considers that this policy has not been followed may make a complaint following NMC's complaints procedure.

Data security

26 All those who process personal data for which NMC is the data controller are responsible for ensuring that any personal information that they process is kept securely and is not disclosed in any form to any unauthorised third party.

27 Any sensitive personal data which is to be sent outside NMC premises must be secured against unauthorised disclosure.

Data sharing

28 Any sharing of personal data with external third parties must comply with NMC's Data sharing and disclosure policies.

Incident reporting

29 All those working for and on behalf of the NMC must report any information security incident which involves the loss or potential loss or the unauthorised disclosure of personal data by following the Serious Event Reporting process.

Glossary

Data controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. The term comprises not only individuals but also organisations such as companies and other corporate bodies of persons.

Data processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data subject: Any living individual who is the subject of personal data.

Personal data: Information which relates to a living individual who can be identified from that data, from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Processing: Any operation or set of operations performed upon personal data, whether or not by automatic means. These include collecting, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Sensitive personal data: Personal data which consists of data related to the data subject's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, the commission of offences or criminal proceedings.